How to prevent it?
- Don't link your phone # to any social media site. Use email only to recover your accounts.
- Be sure to use apps that have "end-to-end encryption" to encrypt your data.
- Always use Two-Factor Authentication. Do not use 2FA that uses SMS text for receiving codes. Use the apps.
"As an added precaution, we recommend turning on two-factor authentication, called Login Approvals, in your Facebook security settings. Doing this will disable recovery via SMS on your account so even if someone has your phone number, they'll still need your password to access your account." - Facebook Spokesperson
How do Hackers do it?
- It doesn't matter how strong your password is or how many extra security measures you use.
- Hackers are exploiting the SS7 (Signalling System Number 7) network. All they need is your phone number.
- Not only can they access your social media accounts, they can listen to private calls and intercept SMS messages.
- The SS7 network trust text messages sent over it regardless of the origin. Hackers trick the system into diverting messages as well as calls to their devices.
- The hacker first clicks on the "Forgot account?" account link on Facebook, provides the targets phone number and diverts the SMS containing a one-time passcode (OTP) to their own phone or computer. They can then login to the subjects account.
Am I affected?
- All Facebook users are affected who have registered a phone number with Facebook and have authorized Facebook texts.
- Gmail and Twitter have also left their doors open to this method of attack.
Who's to blame?
- Not Facebook or any other social media site. This is a weakness in the telecom network.
While the telecoms are definitely to blame for their crappy security, I also blame Facebook, Google, etc. too.
I always got pissed off when Gmail recommended to me to add my phone number for "added security". And I always refused to do it because I knew it would make my existing password recovery system less secure exactly because of these sorts of attacks.